This Linux on a stick protects Windows computers

Spam and Phishing

The anti-phishing function returned useful results in our lab. To investigate the antispam function, the testers set up a number of email accounts and mirrored them to a spamcop.net mailbox. Yoggie's results were better than those of the Spamcop service, with a spam detection rate just below 100 percent. However, Yoggie produced one to two percent false positives (legitimate email incorrectly classified as spam) when mailing lists were involved. The spam filter is fine for small and medium-sized businesses, but it is not a genuine alternative for large enterprises. For comparison, Cisco IronPort [7] returned only one false positive in 109 million messages in an extensive test.

IDS and IPS

Yoggie's intrusion detection (and prevention) system is Snort with Sourcefire rules. From a technology point of view this is a top-notch combination, but as with the web filter, administrators have no way of adapting the configuration to their requirements. In our lab, with the default setting of Medium Security, we could not send mail to our mail server over TCP port 2525, and we got no message telling us that the Yoggie IPS had blocked the outgoing connection. Other personal firewalls at least pop up a window to warn you when they block something.

After some searching, the testers found a message in the Yoggie logfiles: the signature "Suspicious 220 Banner on Local Port", classified as "Detection of a nonstandard protocol or event" (Figure 5). All they could do was disable the IPS for all mail traffic: it was impossible to disable just the one signature that was producing the false positive.

Figure 5: Hidden away in a logfile was the only indication of why email traffic failed to reach a legitimate mail server that used port 2525.
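As an added example (not part of the original review and not Yoggie's or Snort's own code), the following Python script does what the Gatekeeper Pico would not let the testers do. It parses Snort fast-alert log lines, picks out the alerts involving the blocked mail-server port, prints the notice a personal firewall would have popped up, and produces the threshold.conf `suppress` entries that silence only that signature for that one server instead of switching off the IPS for all mail traffic. The log lines are constructed, and the SIDs in them are placeholders in the local-rule range, not the identifiers of the real Sourcefire rule, which the review does not give.

```python
"""Parse Snort fast-alert lines, report which alert blocked a mail-server port,
and generate the threshold.conf 'suppress' entries for just that signature.

Example code added for this article; not Yoggie's or Snort's own code.
The log lines below are constructed and their SIDs are placeholders.
"""
import re

# Snort "alert_fast" output format:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log (not taken from the test lab). SIDs 1000001 and
# 1000002 are placeholders. The SMTP 220 banner is sent by the server, so the
# mail server (port 2525) is the *source* of the flagged packet.
SAMPLE_ALERTS = [
    "03/09-14:22:01.123456  [**] [1:1000001:1] Suspicious 220 Banner on Local Port [**] "
    "[Classification: Detection of a non-standard protocol or event] [Priority: 2] "
    "{TCP} 203.0.113.25:2525 -> 192.168.0.10:49152",
    "03/09-14:22:09.654321  [**] [1:1000002:1] WEB-CLIENT constructed test alert [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{TCP} 198.51.100.7:80 -> 192.168.0.10:49160",
    "03/09-14:23:30.000001  [**] [1:1000001:1] Suspicious 220 Banner on Local Port [**] "
    "[Classification: Detection of a non-standard protocol or event] [Priority: 2] "
    "{TCP} 203.0.113.25:2525 -> 192.168.0.10:49170",
    "this line is not an alert and must be ignored",
]


def parse_alert(line):
    """Return a dict for one fast-alert line, or None if the line is not one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):            # absent for ICMP and similar
        a[key] = int(a[key]) if a[key] is not None else None
    return a


def alerts_involving_port(lines, port):
    """Alerts in which either endpoint used `port`, whichever direction."""
    hits = []
    for line in lines:
        a = parse_alert(line)
        if a and port in (a["sport"], a["dport"]):
            hits.append(a)
    return hits


def describe(alert):
    """The one-line notice a personal firewall would have shown the user."""
    return (f"IPS blocked {alert['proto']} {alert['src']}:{alert['sport']} -> "
            f"{alert['dst']}:{alert['dport']}: {alert['msg']} "
            f"[{alert['gid']}:{alert['sid']}:{alert['rev']}]")


def suppress_rules(alerts, server_ip):
    """threshold.conf lines silencing each offending SID for one host only.

    Snort syntax: suppress gen_id <gid>, sig_id <sid>, track by_src|by_dst, ip <ip>
    Tracking by the server's address keeps the signature live for every other host.
    """
    rules = []
    for a in alerts:
        if a["src"] == server_ip:
            track = "by_src"
        elif a["dst"] == server_ip:
            track = "by_dst"
        else:
            continue                          # alert does not involve this server
        rule = f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track {track}, ip {server_ip}"
        if rule not in rules:                 # one line per (sid, host), not per alert
            rules.append(rule)
    return rules


if __name__ == "__main__":
    hits = alerts_involving_port(SAMPLE_ALERTS, 2525)
    for h in hits:
        print(describe(h))
    print("\n# add to threshold.conf (or snort.conf), then reload Snort:")
    for r in suppress_rules(hits, "203.0.113.25"):
        print(r)
```

On a stock Snort installation this is the normal remedy for a single noisy signature. The other route, telling the SMTP preprocessor that 2525 is a mail port (`preprocessor smtp: ports { 25 587 2525 }`), may or may not stop this particular rule from firing; that depends on how the rule is written, and the review does not reproduce it.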

How configurable a security system should be is a matter of opinion. Yoggie seems to be targeted at inexperienced users; asking this group to take care of complex details would be too much, and in this light the artificial restrictions are justifiable. However, some users, such as field staff or home workers, could benefit from the added security of a compact appliance compared with a software-only solution. Yoggie cultivates this market with a VPN function and a corporate mode that lets a company preconfigure and manage hundreds or thousands of Yoggie Pico Pro Gatekeepers via the Yoggie Management Server (YMS), which was not ready in time for this test.

Yoggie Autopsy

That one of the three test devices gave up the ghost just 20 minutes after we plugged it in for the first time might be a coincidence, but it at least gave us a good excuse to dissect the device in our lab. Opening the Gatekeeper Pico revealed two double-sided PCBs (still connected in Figure 6) with a 520MHz Intel XScale PXA270 CPU, 128MB of SDRAM, and 136MB of flash memory (128MB NAND plus 8MB NOR). This is the CPU used in some BlackBerry models. It has been on the market for about three years now, but it is still state of the art.

The Gatekeeper Pico's hardware and architecture are convincing, and the price is not excessive. In fact, it is surprising that Yoggie can offer the hardware at such a low price. Of course, the product would be more interesting as an open Linux appliance that users could install and configure to suit their own needs. A more open design would let users integrate, say, a mini web server, a groupware system, or a CVS server that would run off any host computer.

Figure 6: The interior of the Yoggie Gatekeeper Pico comprises two small PCBs that together form a complete mini PC.

Amazing Device

The Yoggie Gatekeeper Pico surprised the test team in two respects. On the positive side, we were impressed with its design and the quality of the tiny hardware package. On the negative side, we were surprised that we could open such a large hole in the system. No software is perfect, but being able to work around the firewall in a security product raises serious questions about the device.

Despite its deficiencies, the mini-appliance left a generally positive impression. UTM appliances tend to be bulky – rack mountable at best. The market is currently moving toward integration: standalone security solutions are being acquired, dissected, and integrated into larger product lines. Against this trend, Yoggie has introduced a new standalone security solution that provides better protection than a legacy personal firewall, but users do need to carry additional hardware around with them on the road, and hardware can be lost or broken. Potential customers will have to decide whether to trust the product despite the vulnerabilities, which have since been fixed.

A full-fledged Linux computer on a USB stick: Yoggie uses this astonishing hardware trick to protect Windows machines against web-based attacks. But some things do not work as the developers intended, as an exhaustive test in Linux Magazine #94 / September reveals. Just a few simple tricks were all it took to work around the firewall.
